Re: Ongoing Port 6000 attacks, Windows Xserver Compromises, keyloggers

[Brian Smith-Sweeney <bsmithsweeney () NYU EDU>]

Warren Petrofsky wrote:
> We are seeing an alarming attack trend on the Penn campus.  Please find
> below a summary and preliminary conclusions, followed by some details.
> I apologize in advance for the length of this report.  We are very
> interested in receiving suggestions and comments from the group, as well
> as getting the warning out there, as we have yet to find any reports of
> this trend, though as a colleague pointed out, the ISC Storm Center does
> show a significant spike in both sources and targets for port 6000
> between Dec. 11th and 14th 2006.
>
> Summary and Conclusion:
>
> We have seen a series of single user accounts compromised, with users
> using unique, complex (sometimes > 14char) passwords, that are only sent
> over encrypted channels.  In most cases, these users were running an
> X-server application on their Windows machine, connecting to a linux or
> Solaris server, using ssh tunneling.
>
> Our current working assumption is that there is an active compromise
> being spread via vulnerable Xserver installations on port 6000.  After
> privilege escalation is achieved, keyloggers are being installed on the
> system in general, or all transmissions to the xsession are being logged.
Hey Warren,

We've seen the same thing recently and we're pretty sure this is a
result of X11 sniffing.  A number of folks have done good writeups on
the subject, including:

The ease of (ab)using X11:
http://www.hackinglinuxexposed.com/articles/20040513.html
http://www.hackinglinuxexposed.com/articles/20040608.html

Other .EDUs guides (with much thanks to the respective authors):
http://www.stanford.edu/group/security/securecomputing/x-window/index.html
http://csociety.ecn.purdue.edu/~sigos/projects/ssh/forwarding/#X11
http://www.biac.duke.edu/library/documentation/xwin32/Security.html

Briefly, the attacker connects to an X server and - provided the X
server has been improperly configured - they are able to grab a screen
dump, keystrokes, and anything else in the X session.  This is why
you'll find keystroke logs on host1 for host2, host3, and host4; host1
is just connecting to the X server running on the others and watching
what the  user on those remote systems is doing.  There may not be any
malware installed on host2, host3, or host4 and they may not even show
signs of compromise (if the attacker hasn't gotten around to logging
into them).

I don't think any modern *nix default installations are setup this way
but I have seen several XWindows servers running on MS Windows that I
could sniff.  And the user can always open their systems up using xhost
in its evil incarnation "xhost +".  This is traditionally done to allow
X applications to run from remote systems and display on your desktop;
as you noted, a *much* better way to do this is to forward these
connections via ssh.

We've seen attackers use the compromised user's ssh known_hosts file to
figure out where to try their credentials next.  This creates an
alarming pattern where an external attacker, seemingly without any
brute-force attack, suddenly knows one or more credentials and knows
exactly which systems to use them on.

When a machine is compromised this way I would assume any and all
credentials that the local user has there or on any remote system are in
the hands of the attacker, and should be changed immediately.  If the
user had a pubkey they authenticated with they should change that as
well.  We've found our attackers are mostly sticking to user-level
accounts, but that's likely just a matter of chance.

Hope this helps.

Cheers,
Brian


--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Brian Smith-Sweeney      Sr. Network Security Analyst
ITS Technology Security Services, New York University
bsmithsweeney () nyu edu
http://www.nyu.edu/its/security
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~